TL;DR#
On May 23, 2023, the P2P exchange Local Traders was exploited on the BNB chain, resulting in a loss of approximately 379.32 BNB.
Introduction to Local Traders#
Local Traders is a platform offering peer-to-peer trading solutions to merchants and other users who want to explore diverse opportunities in cryptocurrencies.
Vulnerability Assessment#
The root cause of the vulnerability is a lack of permission checks in one of the functions of their smart contract.
Steps#
Step 1:
We attempted to analyse the attack transaction executed by the exploiter.
Step 2:
The function `0xb5863c10` lacked a permission check and could be called by anyone to modify the owner.
function 0xb5863c10(address varg0) public payable {
require(4 + (msg.data.length - 4) - 4 >= 32);
require(varg0 == varg0);
stor_0_0_19 = varg0;
owner_1_0_19 = msg.sender;
owner_2_0_19 = msg.sender;
stor_3 = 0x2a1766f5d000;
}
Step 3:
As viewed from this transaction, the exploiter is able to modify the contract owner using the above faulty function implementation.
Step 4:
In this transaction, it can be seen that the attacker called the `0x925d400c` function to modify the price of the token to 1.
function 0x925d400c(uint256 varg0) public payable {
require(4 + (msg.data.length - 4) - 4 >= 32);
0xcac(varg0);
require(msg.sender == owner_1_0_19, Error('You are not admin'));
stor_3 = varg0;
return varg0;
}
Step 5:
The exploiter then called the getTokenPrice function of the contract, thereby purchasing LCT tokens at a low price, which were ultimately sold for a profit worth approximately 379.32 BNB, roughly amounting to $119,040.
Step 6:
At the time of this writing, all of the stolen funds are held at this address by the attacker.
Aftermath#
Following the exploit, the team acknowledged the occurrence of the incident and stated that they have been working with their security partners to investigate the breach, assess the extent of the damage, and implement a recovery plan for the same.
They further stated that they are trying to reach out to the hacker for a bug bounty settlement. The address controlled by the attacker has been reported and blacklisted by the majority of the exchanges, making it difficult for the hacker to cash out. The team will buy back the stolen assets in four chunks worth 100 BNB each and is currently working on a recovery model for all of the users affected by this exploit.
Solution#
The exploit highlights the necessity of incorporating stringent permission checks into the functions of a smart contract to prevent unauthorized modifications, such as in this case, where the attacker was able to modify the contract owner.
To prevent similar incidents in the future, several steps could be taken:
-
In-depth audit and security review: The contracts should undergo a comprehensive and rigorous audit by a reputable and experienced security firm to uncover any potential vulnerabilities or design flaws.
-
Permission Checks: All functions that interact with key contract variables should implement robust permission checks to ensure that only authorized entities can make modifications.
-
Use of timelocks: Timelocks could be introduced for changes in contract ownership or key parameters. This would provide a window of time in which anomalous behavior could be identified and potentially halted.
-
Multi-signature governance: Implementing a multi-signature mechanism for critical contract modifications could spread the power of changes over multiple trusted parties, significantly lowering the risk of exploitation.
Despite all precautions, it's impossible to prevent all potential exploits. In such a case, the impact or aftermath of this attack could have been significantly reduced if the team associated with Local Traders had set up a dedicated cover pool in the Neptune Mutual marketplace. We offer coverage to users who have suffered a loss of funds or digital assets as a result of smart contract vulnerabilities owing to our parametric policies.
Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks: Ethereum and Arbitrum.
Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations. This service can aid in identifying potential vulnerabilities and proposing security enhancements before they can be exploited by an attacker.
Reference Source Beosin, Dedaub
